Robert A. Uhl

Bootstrapping trust

SSH is a reasonably awesome tool: it enables encrypted, authenticated access to hosts across a network, whether across the LAN, across a WAN or across the Internet. But that authentication has a weak point: it defaults to Trust on First Use (TOFU); i.e., the first time one connects to a host, one is prompted about whether one wishes to trust that host or not. Most people just blindly trust the prompted key: after all, how likely is it that one’s very first connexion would be attacked? Well, probably not terribly likely. Still …

Here’s how one can prevent even a first-connexion man-in-the-middle attack from succeeding, using cloud-config (a standard for configuring a new machine used, among others, by DigitalOcean). Simply provide the configuration below as user data:

- mkdir /etc/issue.d
- (for k in /etc/ssh/ssh_host*.pub; do ssh-keygen -l -f $k; done) > /etc/issue.d/sshd.issue

This will print the SSH host key on the console login; you can use your cloud vendor’s remote console functionality to verify the SSH fingerprints before accepting the prompt. Of course, you have to trust your cloud provider — but if you don’t, then you really shouldn’t be using them at all!

After you have verified the initial key, you may wish to go in and rm /etc/issue.d/sshd.issue, in order to reduce the text in the login console.

Further steps

It would be really awesome to have a service which, on first boot, would generate a master host keypair and add the public key to the login console, then submit the SSH host keys, SSL keys and any other public keys to a Swiss-Army-knife CA, which upon approval would sign them and return them; an admin could then create a machine, open the CA UI, verify the signed submission and approve release.

But implementing that is a fair chore, while using this little cloud-config snippet is easy.